Johannes Kastl
2014-Nov-03 19:14 UTC
Unable to use ssh-agent with confirmation, when logged in on a virtual terminal
Good evening,

sorry if this is the wrong list, I found none that seemed to fit better.

I am trying to get ssh-add with the -c option to work. But I always get this error:

> Agent admitted failure to sign using the key.

But to start from the beginning.

#################################

On my linux machines (e.g. laptops, ...) I can login without an X session started/used. The ssh-agent is started from .bashrc. I can then add an identity with

> ssh-add -c /path/to/keyfile

I try to connect to another server, then the error appears. I delete the identity from ssh-agent, and add it again without the -c:

> ssh-add /path/to/keyfile

And suddenly I can connect without any errors.

#################################

- I see this on different machines, mostly running openSUSE. Some are running ArchLinux, some fedora. All show this error.
- I see this on physical machines, virtual machines connected via a console (libvirt/kvm)
- I get a prompt when trying this using KDE, but although I give my password, the error appears
- I also see this if I start a new bash via

> ssh-agent bash

So, I'm puzzled. And I do not know how to debug this. Or where to start. Or if I understood something completely wrong about the -c option.

Any hints, tips, tricks are highly appreciated. If you need more information, please don't hesitate to ask.

Thanks in advance.

Regards,
Johannes

--
Pulling together is the aim of despotism and tyranny. Free men pull in all kinds of directions. (Terry Pratchett: The Truth)
Ángel González
2014-Nov-03 22:26 UTC
Unable to use ssh-agent with confirmation, when logged in on a virtual terminal
On 03/11/14 20:14, Johannes Kastl wrote:
> Good evening,
>
> sorry if this is the wrong list, I found none that seemed to fit better.

It's the right list.

> I am trying to get ssh-add with the -c option to work. But I always
> get this error:
>> Agent admitted failure to sign using the key.
> But to start from the beginning.
>
> #################################
>
> On my linux machines (e.g. laptops, ...) I can login without an X
> session started/used.
(...)
(and instead of asking for confirmation, agent requests fail)

> So, I'm puzzled. And I do not know how to debug this. Or where to
> start. Or if I understood something completely wrong about the -c option.
>
> Any hints, tips, tricks are highly appreciated. If you need more
> information, please don't hesitate to ask.
>
> Thanks in advance.

The reason is hidden inside ssh-add(1):

> -c      Indicates that added identities should be subject to confirmation
>         before being used for authentication. Confirmation is performed by the
>         SSH_ASKPASS program mentioned below. Successful confirmation is
>         signaled by a zero exit status from the SSH_ASKPASS program, rather
>         than text entered into the requester.

> DISPLAY and SSH_ASKPASS
>         If ssh-add needs a passphrase, it will read the passphrase from the
>         current terminal if it was run from a terminal. If ssh-add does not
>         have a terminal associated with it but DISPLAY and SSH_ASKPASS are
>         set, it will execute the program specified by SSH_ASKPASS and open an
>         X11 window to read the passphrase. This is particularly useful when
>         calling ssh-add from a .xsession or related script. (Note that on some
>         machines it may be necessary to redirect the input from /dev/null to
>         make this work.)

The man page mixes the request for the key password and the confirmation prompt, and it can be hard to notice, but ssh-agent is calling the X program defined by the SSH_ASKPASS variable (defaulting to ssh-askpass).

As you are using a virtual terminal, you don't have an X11 connection where you could be prompted, and thus the agent automatically rejects the signing. (confirm_key -> ask_permission -> read_passphrase(, RP_USE_ASKPASS) [ssh-agent.c:202, readpass.c:180,144])

What you can do is to set SSH_ASKPASS to a cli program that requests the confirmation; also you will need to set DISPLAY to some dummy value, since $SSH_ASKPASS won't even be called if the DISPLAY variable is not set.

Another solution would be to change openssh to fall back to getpass(1) for ask_permission requests if $DISPLAY is not available, but given that the code explicitly checks that, the developers may have reasons for not doing that (the prompts would be on the screen where the agent was originally launched, which -depending on what is running there now- can get messy, but that seems better than not allowing ssh-add -c at all).

Best regards
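A terminal-based SSH_ASKPASS helper of the kind Ángel describes, added here as an example; it is not code from the thread or from OpenSSH, and ASKPASS_TTY and the script's path are names chosen for the example. Because the agent itself runs the helper, SSH_ASKPASS, DISPLAY and the terminal device have to be in the agent's environment, i.e. exported before ssh-agent is started, not only in the shell that later runs ssh-add.

```shell
#!/bin/sh
# Constructed example: a terminal-based SSH_ASKPASS helper for `ssh-add -c`
# confirmations. ssh-agent runs it with the prompt text as the single
# argument, stdin on /dev/null, and treats exit status 0 as "allow". Anything
# written to stdout would be read back as passphrase text, so the prompt is
# written to the terminal device instead.
#
# ssh-agent detaches from its controlling terminal (setsid), so /dev/tty is
# normally not usable from inside the agent. ASKPASS_TTY (a name chosen for
# this example) should therefore name the login terminal, captured before the
# agent is started:
#   export ASKPASS_TTY=$(tty) SSH_ASKPASS=/path/to/this/script DISPLAY=dummy
#   eval "$(ssh-agent -s)"
#   ssh-add -c ~/.ssh/id_ed25519

# confirm_on_tty PROMPT [TTY_IN] [TTY_OUT]
# Returns 0 only on an explicit y/yes; a denial, EOF, or an unusable terminal
# all fail closed with status 1 (the agent then refuses to sign).
confirm_on_tty() {
    prompt=$1
    tty_in=${2:-${ASKPASS_TTY:-/dev/tty}}
    tty_out=${3:-${ASKPASS_TTY:-/dev/tty}}
    printf '%s\nAllow this request? [y/N] ' "$prompt" 2>/dev/null > "$tty_out" || return 1
    IFS= read -r answer 2>/dev/null < "$tty_in" || return 1
    case $answer in
        y|Y|yes|YES) return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point when ssh-agent invokes the script: exactly one argument.
if [ $# -eq 1 ]; then
    confirm_on_tty "$1"
    exit $?
fi
```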
Johannes Kastl
2014-Nov-04 19:05 UTC
Unable to use ssh-agent with confirmation, when logged in on a virtual terminal
Good evening,

On 03.11.2014 Johannes Kastl wrote:
> I am trying to get ssh-add with the -c option to work. But I
> always get this error:
>> Agent admitted failure to sign using the key.

Mark and Angel replied on and off the list, and both suggested that the SSH_ASKPASS variable is set wrong.

I thought that these variables are for using *graphical* programs to ask for the passphrase. And on most of my machines, no X server is even installed. So I thought these variables are not necessary, and it does not matter if they are empty.

As I replied to Angel, I would have thought that there is a fallback, but apparently this is not the case. Or it is not working.

However, when I set SSH_ASKPASS to /usr/lib/ssh/ssh-askpass and the DISPLAY variable to 'foo', I still get the error.

I noticed that on the one machine with the graphical gui, I get the prompt via kwallet (KDE's password safe), but it is enough to click OK to allow this request. But I had to unlock my password safe first. And the SSH_ASKPASS variable is set to /usr/lib/ssh/ssh-askpass on this machine.

So maybe this is really just a prompt for machines with a running X server...

Regards,
Johannes

--
Coming back to where you started is not the same as never leaving. (Terry Pratchett)